feature: build: add --disable-sandbox-check configure flag

This flag disables the code which checks whether the current instance of firejail is running within a sandbox like LXC, chroot or firejail itself. If we want to develop firejail inside of a sandbox, to keep the "host system" clean of unnecessary installed dependencies and changes to the system, we might want to force firejail to run normally, so that we can test different profiles inside of the sandbox. This is only meant for people who are working on the firejail code, not someone attempting to run firejail inside of a sandbox as a user, because it needs to run as root and it can escape the sandbox easily.
netblue30 · Dec 28, 2024 · 1f7e9d6 · 1f7e9d6
1 parent d81fead
commit 1f7e9d6
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 0 deletions.
diff --git a/config.mk.in b/config.mk.in
@@ -44,6 +44,7 @@ HAVE_OUTPUT=@HAVE_OUTPUT@
 HAVE_OVERLAYFS=@HAVE_OVERLAYFS@
 HAVE_PRIVATE_HOME=@HAVE_PRIVATE_HOME@
 HAVE_PRIVATE_LIB=@HAVE_PRIVATE_LIB@
+HAVE_SANDBOX_CHECK=@HAVE_SANDBOX_CHECK@
 HAVE_SELINUX=@HAVE_SELINUX@
 HAVE_SUID=@HAVE_SUID@
 HAVE_USERNS=@HAVE_USERNS@
@@ -65,6 +66,7 @@ MANFLAGS = \
 	$(HAVE_OVERLAYFS) \
 	$(HAVE_PRIVATE_HOME) \
 	$(HAVE_PRIVATE_LIB) \
+	$(HAVE_SANDBOX_CHECK) \
 	$(HAVE_SELINUX) \
 	$(HAVE_SUID) \
 	$(HAVE_USERNS) \

diff --git a/configure b/configure
@@ -674,6 +674,7 @@ PKG_CONFIG_PATH
 PKG_CONFIG
 HAVE_APPARMOR
 HAVE_IDS
+HAVE_SANDBOX_CHECK
 DEPS_CFLAGS
 TAR
 STRIP
@@ -733,6 +734,7 @@ ac_user_opts='
 enable_option_checking
 enable_analyzer
 enable_sanitizer
+enable_sandbox_check
 enable_ids
 enable_apparmor
 enable_selinux
@@ -1391,6 +1393,9 @@ Optional Features:
   --enable-analyzer       enable GCC static analyzer
   --enable-sanitizer=[address | memory | undefined]
                           enable a compiler-based sanitizer (debug)
+  --disable-sandbox-check checking if current instance of firejail is running
+                          within a sandbox is disabled, only use this when
+                          developing firejail inside of a sandbox
   --enable-ids            enable ids
   --enable-apparmor       enable apparmor
   --enable-selinux        SELinux labeling support
@@ -3955,6 +3960,21 @@ esac
 fi
 
 
+fi
+
+HAVE_SANDBOX_CHECK=""
+
+# Check whether --enable-sandbox-check was given.
+if test ${enable_sandbox_check+y}
+then :
+  enableval=$enable_sandbox_check;
+fi
+
+if test "x$enable_sandbox_check" != "xno"
+then :
+
+	HAVE_SANDBOX_CHECK="-DHAVE_SANDBOX_CHECK"
+
 fi
 
 HAVE_IDS=""
@@ -5793,6 +5813,7 @@ Features:
    overlayfs support: $HAVE_OVERLAYFS
    private home support: $HAVE_PRIVATE_HOME
    private lib support: $HAVE_PRIVATE_LIB
+   sandbox check: $HAVE_SANDBOX_CHECK
    SELinux labeling support: $HAVE_SELINUX
    user namespace: $HAVE_USERNS
    X11 sandboxing support: $HAVE_X11

diff --git a/configure.ac b/configure.ac
@@ -69,6 +69,14 @@ AS_IF([test "x$enable_sanitizer" != "xno" ], [
 	], [AC_MSG_ERROR([sanitizer not supported: $enable_sanitizer])])
 ])
 
+HAVE_SANDBOX_CHECK=""
+AC_SUBST([HAVE_SANDBOX_CHECK])
+AC_ARG_ENABLE([sandbox-check],
+	      [AS_HELP_STRING([--disable-sandbox-check], [checking if current instance of firejail is running within a sandbox is disabled, only use this when developing firejail inside of a sandbox])])
+AS_IF([test "x$enable_sandbox_check" != "xno"], [
+	HAVE_SANDBOX_CHECK="-DHAVE_SANDBOX_CHECK"
+])
+
 HAVE_IDS=""
 AC_SUBST([HAVE_IDS])
 AC_ARG_ENABLE([ids],
@@ -324,6 +332,7 @@ Features:
    overlayfs support: $HAVE_OVERLAYFS
    private home support: $HAVE_PRIVATE_HOME
    private lib support: $HAVE_PRIVATE_LIB
+   sandbox check: $HAVE_SANDBOX_CHECK
    SELinux labeling support: $HAVE_SELINUX
    user namespace: $HAVE_USERNS
    X11 sandboxing support: $HAVE_X11

diff --git a/src/firejail/main.c b/src/firejail/main.c
@@ -1124,6 +1124,7 @@ int main(int argc, char **argv, char **envp) {
 	// If LXC is detected, start firejail sandbox
 	// otherwise try to detect a PID namespace by looking under /proc for specific kernel processes and:
 	//	- start the application in a /bin/bash shell
+#ifdef HAVE_SANDBOX_CHECK
 	if (check_namespace_virt() == 0) {
 		EUID_ROOT();
 		int rv = check_kernel_procs();
@@ -1139,6 +1140,7 @@ int main(int argc, char **argv, char **envp) {
 			__builtin_unreachable();
 		}
 	}
+#endif
 
 	// profile builder
 	if (check_arg(argc, argv, "--build", 0)) // supports both --build and --build=filename